Traditional OSINT 



• Traditional OSINT is mostly from mainstream news, compiled summaries, and information put out by vendors. 

- Good for situational awareness 

- Some excellent analysis on attacks and 
exploits 

- Information can be days or weeks old 

- Doesn’t normally contain strong selectors 
Research Objectives 



• To compile OSINT information that 
enables CNO operations & analysis 

- Emerging threats 

- Situational awareness 

- Identification of the following: 

• Victims 

• Adversaries 

• Capabilities 

• Infrastructure 




TOP SECRET//COMINT//REL TO USA, FVEY 










Research Objectives 



• To identify strong selectors and unique strings from OSINT that can be used within SIGINT: 

- To build XKEYSCORE Fingerprints to identify an adversary's capabilities being used within SIGINT Collection 

- To identify and task adversaries and their infrastructure within SIGINT 

- To identify victims for 4th Party Collection Opportunities 
Hacker Forums 



• A clever way to collect OSINT information 
from Hacker Forums 

- RSS Feeds 

• Automated collection of new and historical posts 

• Allows quicker analysis of posts 

• Leaves no tracks on the forum unlike AIRGAP 

• If enabled, can also get feeds from closed (login 
required) forums. 

• Enables analyst to prioritize other sites without 
RSS feeds for other access operations 
Hacker Forums 



• Allows for the identification of: 

- Adversaries 

• Those who are building capabilities 

• Those who are selling capabilities 

• Those who are using the capabilities 

• Those who are selling information (Cyber Crime) 

- Capabilities 

• Profiling and understanding of emerging tactics, techniques, 
and procedures used by our adversaries 

• Identification of locations where capabilities can be obtained 
BlackEnergy DDoS Bot 

by knwSCO 



Hacker Forums 



Nuclear stealth mechanisms [word illegible in screenshot] support multitargeting and multiresolving - if the purpose for the attack indicates the domain name is created by a group of flows to attack each IP-address attached to this domain (resolving repeated every 15 minutes) 









[RAT] Slayer616's RAT 1.2 Final 

by slayer616 

Hey Guys, 

I completed the first Final Build. After some hard work I fixed like 20 little Bugs and added Keylogging Function + Better GUI + Flag System! 



Screenshot: 




Bundles exploit [yes Exploit System] 

by Saint 

Welcome forumchane! 

Sell sploitov ligament. 

Test mix, 1 frame traffic: 

Your browser version / probability percent: 

Internet Explorer 5.0 - 50-75% 
Internet Explorer 5.1 - 50-75% 
Internet Explorer 5.5 - 50-90% 
Internet Explorer 6.0 - 35-59% 
Internet Explorer 7.0 - 10-15% 
Internet Explorer [version illegible] - 5-10% 
Opera 9.0-9.25 - 75-80% 
Opera 9.5x-9.6x - 10-15% 
Opera 10.0 - 5-10% 
FireFox 1.X - 15-20% 
FireFox 2.X - 10-15% 
FireFox 3.X - 10% 
Mozilla 5.X - 5-8% 



Create a Zip Bomb - Zip of Death 

Posted by X.H.R.O 



A zip bomb, also known as a Zip of Death, is a malicious archive file designed to crash or 
render useless the program or system reading it. It is often used by virus writers to 
disable antivirus software, so that a more traditional virus sent afterwards could get into 
the system undetected. A zip bomb is usually a small file (up to a few hundred kilobytes) for 
ease of transport and to avoid suspicion. However, when the file is unpacked its contents 
are more than the system can handle. You can make your own zip bomb to annoy your 
friends or just out of curiosity (or wilderness) to experiment with it. Make sure you don't 
detonate it on yourself. 
Hacker Forums 



[Screenshot of an automated sandbox report: a requested host name, a registered attempt to establish a connection, outbound traffic flagged as potentially malicious, USERHOST IRC commands, and a heuristics analysis section. The text is illegible in the capture.] 
Hacker Forums 



You need to be operator to set the topic. Default password is /oper foo bar; but if they have changed it, DDoS attack it with your bots 
and make sure that you are the first to join! 

If you happen to get into a channel with a ton of bots, and the op isnt there, change your nick to a bot's name, or similar, and wait. 

They should type like .login <password> 
that's when you do the same! haha. 

type .login <password> 

then .update [URL illegible in screenshot] 
Malicious Emails 



• Leverage OSINT to identify the infrastructure and source of top virus email senders by IP address 

- Based on Cisco IronPort's view of 25-30% of the world's email 

- Identifies infrastructure used by adversaries to deliver capability 

- Allows SIGINT profiling of activity on the IP 
Malicious Emails 



Top IOC virus senders by IP address for the last day, 10 MAY 2009 

[Table screenshot with columns: IP Address, Hostname, Fwd/Rev DNS, Volume, Vol change vs. Avg, Network Owner. The individual sender rows are illegible in the capture.] 
Malicious Connections 



• An effort to identify the latest emerging threats that are not yet detected by antivirus or IDS/IPS signatures 

- Malicious Binary MD5 (track capability) 

- The adversaries' infrastructure that exploited systems connect to after being compromised 

- Traffic generated by compromised systems to build XKEYSCORE fingerprints 
Malicious Connections 



Malicious Connections Report 

1-8 MAY 2009 

The following "home" IPs/Domains should be considered malicious and connectivity to them should be investigated. Systems initiating a connection with these IPs/Domains should be treated as compromised until they are reviewed. POC: [illegible] 

File MD5: [hash illegible in screenshot] 
File SHA-1: [hash illegible in screenshot] 
Filesize: [illegible] bytes 

Category: A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment 

The following Host Name was requested from a host database: 
[domain illegible].net 

There was registered attempt to establish connection with the remote host. The connection details: 

Remote Host                  Port 
[host illegible].net         4244 

There was a new connection established with a remote IRC Server. The generated outbound IRC traffic is provided below: 

PASS [illegible] 
NICK [00|USA|030585] 
USER XP-0442 * 0 :COMPUTERNAME 
• NTOC - Signatures for Sensors 

- BLUESASH 

- TUTELAGE (TURBULENCE Defensive) 

- CROSSBONES 

• NSATAO/GCHQ CNE- Counter CNE Ops 

• MHS / NDIST - 4th Party Collection 

• JCMA Cyber - Customer focused CND 

• GOVCERT UK - UK Government CND 
Malicious Connections 



• (U//FOUO) The following statistics show the number of NTOC DNS 
Alerts that were an exact match for a malicious connection reported in 
the MHSCNO Malicious Connections Report. 



Date      Total DNS Alerts   Exact MCR Match   Percentage 
5/14/09   22                 13                59% 
5/13/09   23                 11                47% 
5/12/09   23                 10                43% 
5/11/09   21                 11                52% 
5/10/09   51                 44                86% 
5/09/09   12                 8                 67% 
5/08/09   52                 44                85% 
5/07/09   84                 75                89% 
5/06/09   20                 14                70% 
5/04/09   107                66                62% 
5/03/09   1                  1                 100% 
5/01/09   77                 74                96% 
4/30/09   82                 71                87% 
4/29/09   80                 73                91% 
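One way a defender can reproduce this kind of per-day exact-match statistic from their own DNS alert log, as an added example that is not part of the original briefing; the indicator list, the alert lines and their "<date> <sensor> <queried name> -> <answer>" format are all constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed MCR indicator list (domains and IPs); a real one would be loaded from the report.
MCR_INDICATORS = {"c2.example.net", "update.example.org", "198.51.100.23"}

# Constructed DNS alert lines in an assumed format: "<m/d/yy> <sensor> <queried name> -> <answer>"
DNS_ALERTS = [
    "5/14/09 sensor-a C2.EXAMPLE.NET. -> 198.51.100.23",
    "5/14/09 sensor-b mail.example.com. -> 203.0.113.5",
    "5/14/09 sensor-a update.example.org -> 198.51.100.77",
    "5/13/09 sensor-c www.c2.example.net -> 198.51.100.99",
    "5/13/09 sensor-a ftp.example.com -> 192.0.2.9",
    "5/13/09 sensor-b cdn.example.com -> 198.51.100.23",
    "garbage line that should be skipped",
]

ALERT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def is_exact_match(qname, answer, indicators):
    """Exact match: the queried name itself or the resolved IP is in the report.
    A subdomain of a reported domain (www.c2.example.net) is deliberately not counted,
    mirroring an 'Exact MCR Match' column rather than a looser suffix match."""
    return normalize(qname) in indicators or answer in indicators


def mcr_match_stats(lines, indicators):
    """Return {day: (total_alerts, exact_matches, percentage)} like the table above."""
    indicators = {normalize(i) for i in indicators}
    totals, matches = defaultdict(int), defaultdict(int)
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # malformed or unrelated log line
        day, _sensor, qname, answer = m.groups()
        totals[day] += 1
        if is_exact_match(qname, answer, indicators):
            matches[day] += 1
    return {d: (totals[d], matches[d], round(100 * matches[d] / totals[d])) for d in totals}


if __name__ == "__main__":
    print("Date     Total  Match  Pct")
    for day, (total, hit, pct) in sorted(mcr_match_stats(DNS_ALERTS, MCR_INDICATORS).items(), reverse=True):
        print(f"{day:<8} {total:>5}  {hit:>5}  {pct:>3}%")
```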
Malicious Connections 



• US/UK/AU Government Email addresses passed to exploit server - 17 email accounts 

- Discovered using an MHS-developed XKEYSCORE Fingerprint that was written to identify a malicious connection while searching for MENA 4th Party Collection opportunities. 
ShadowServer Data 



• Sinkhole HTTP Drone Report - All the IP addresses that joined the sinkhole server that did not join via a referral URL. Since the Sinkhole server is only reached through previously malicious domain names, only infected systems appear in the report. 

- Victims / Infrastructure / HTTP Command Strings 
ShadowServer Data 



• Sandbox URL Report - These are URLs that were accessed by malware. 

- Binary MD5 Hashes / Infrastructure / HTTP Command Strings 

• Botnet Drone Report - All the IP addresses that were seen joining a known Botnet Command and Control Server. 

- Victims / Infrastructure 

• 25 US Government (Federal / State / Local) systems 
communicating with botnets between 5-7 June 2009 












ShadowServer Data 



• Botnet URL Report - Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL. 

- Infrastructure / Capabilities / HTTP Command Strings 

• DDoS Report - Any DDoS attack is reported 
whether the country is the target or the source of the 
attack. 

- Victims / Infrastructure / Capabilities 
State Sponsored 



• Example 1 (FBI CN Intrusion Set) 

- Identified MALWARE report for known 
domain. 

- Found another binary which was an exact 
match that revealed a previously 
unassociated domain to this intrusion set 9 
months before first known activity of this 
intrusion set. 

• Infrastructure / Registration / Timeline / MD5 hash 




State Sponsored 



• Example 2 (JTF-GNO CN Intrusion Set) 

- 6 different reports noted the use of a specific 
Chinese developed standalone web server 
software package. 

- Identified 3 new binaries in OSINT malware 
research that also used this exact software 
package. 

• 3 new domains (infrastructure / registration / timeline / MD5 Hashes) 
State Sponsored 



• Example 3 (NSA CN Intrusion Set) 

- Identified 2 binaries in OSINT that matched 
those called out in a report with their 
associated malware analysis and MD5 
hashes. 
Questions? 




